All secrets detected by a security scan should be considered compromised. Once a secret is published, anyone who had read access to the page could have obtained a copy. Locking down the permissions on the page, deleting it, or deleting all the page versions which contained the secret is a good step, but doesn’t sufficiently remediate the risk.

Soteri recommends that you:

  • Change the secret.

    • If a password is found, change it.

    • If an access token is found, generate a new access token and update your services to use the new token. Once all your services have been updated, revoke the old token.

  • Delete the secret from Confluence. Secrets improperly stored in Confluence, revoked or not, send the signal to users that secrets can be stored this way.